Nginx configuration for www.paolo565.org
# WARNING: This is the nginx configuration I use for https://www.paolo565.org
# You will probably have to tweak it to make it work for your own site.
# Take a look at this post if you want to know more about the configuration:
# https://www.paolo565.org/blog/creating-my-blog/
# How I generate the certificate with certbot (webroot challenge, served by the port-80 server below;
# --must-staple adds the OCSP Must-Staple extension, which makes a working ssl_stapling setup mandatory):
# certbot certonly --webroot -w /var/www/ssl-challenge/ -d paolo565.org,www.paolo565.org --must-staple
# Things I put inside the http block (not shown in this file):
# server_tokens off;        # do not advertise the nginx version in the Server header and error pages
# ssl_session_tickets off;  # stateless session tickets are encrypted with a key nginx does not rotate
#                           # between reloads, which undermines forward secrecy; rely on the session cache instead
# Nameservers for nginx's own runtime DNS lookups. In this file the only
# consumer is ssl_stapling (resolving the CA's OCSP responder hostname).
# These queries leave the box as plain, unauthenticated DNS, so point this at
# a resolver you trust (a local caching resolver is a good choice).
resolver_timeout 30s;
# valid=300s caches answers for five minutes regardless of the record's TTL.
resolver 8.8.8.8 8.8.4.4 valid=300s;
server {
    # Plain-HTTP listener. It has exactly two jobs: answer ACME HTTP-01
    # challenges for certbot, and send everything else to the HTTPS host.
    # No site content is served here.
    listen 80;
    listen [::]:80;
    server_name www.paolo565.org paolo565.org;

    # Let's Encrypt webroot challenge (see the certbot command at the top).
    # The ACME validator requests http://<host>/.well-known/acme-challenge/<token>;
    # this prefix location answers it straight from the challenge webroot, so the
    # redirect below never gets involved. `allow all` only matters if an
    # enclosing level (the http block is not in this file) carries a `deny`.
    location ^~ /.well-known/ {
        alias /var/www/ssl-challenge/.well-known/;
        allow all;
        try_files $uri $uri/ =404;
    }

    # Everything else: permanent redirect to the canonical HTTPS origin,
    # folding the bare apex onto www in the same hop.
    location / {
        return 301 https://www.paolo565.org$request_uri;
    }
}
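server {
    # HTTPS origin for www.paolo565.org. paolo565.org is accepted on this
    # listener only so it can be redirected to www (see the `if` below).
    # Static files only; nothing is proxied.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.paolo565.org paolo565.org;

    # --- Certificate (Let's Encrypt, see the certbot command at the top) ---
    ssl_certificate /etc/letsencrypt/live/paolo565.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/paolo565.org/privkey.pem;
    # Chain used by ssl_stapling_verify to check the stapled OCSP response.
    ssl_trusted_certificate /etc/letsencrypt/live/paolo565.org/fullchain.pem;

    # --- TLS parameters ---
    # Generated with: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    # Only the DHE-* suites below use this file; the ECDHE suites do not.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # OCSP stapling. The certificate was issued with --must-staple, so a
    # browser that honours that extension will refuse the connection when
    # nginx cannot present a valid OCSP response (resolver unreachable, CA
    # responder down, or the CA no longer operating OCSP). Check it after
    # every change and monitor it:
    #   openssl s_client -connect www.paolo565.org:443 -status </dev/null
    # should print "OCSP Response Status: successful".
    ssl_stapling on;
    ssl_stapling_verify on;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offering them was a
    # downgrade surface with no compatibility benefit for browsers.
    # TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL >= 1.1.1 -- on an
    # older build remove it from this line or nginx will refuse to start.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # TLS 1.2 suites: forward-secret (ECDHE/DHE) AEAD suites only, matching
    # Mozilla's "intermediate" profile. Dropped from the previous list: 3DES
    # (64-bit block, SWEET32), CBC/SHA-1 suites and static-RSA key exchange
    # (no forward secrecy). ChaCha20 stays first to keep the existing
    # preference order. TLS 1.3 suites are not controlled by this directive.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    # Session resumption through the server-side cache only (tickets are
    # switched off in the http block, see the top of the file).
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # Each deploy lands in its own directory named after the git commit.
    root /var/www/www.paolo565.org/GIT_COMMIT_HASH_OF_LAST_DEPLOY/;

    # Redirect https://paolo565.org to https://www.paolo565.org.
    # A bare `return` is one of the two things the nginx wiki documents as
    # safe inside `if`; the header block below applies to this 301 too
    # because every add_header uses `always`.
    if ($host = 'paolo565.org') {
        return 301 https://www.paolo565.org$request_uri;
    }

    access_log /var/log/nginx/paolo565.org.log;
    index index.html;
    error_page 404 /404.html;

    # Never serve dot-files or dot-directories. A deploy directory produced
    # from a git checkout may contain .git/, editor backups or similar under
    # root; whether it does here cannot be seen from this file, so this is a
    # guard rather than a fix. A regex location is matched before the plain
    # `/` prefix, so it wins. /.well-known/ is excluded in case it is ever
    # needed over HTTPS.
    location ~ /\.(?!well-known/) {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    # Pages may be cached by the browser for up to 5 minutes.
    location ~ \.html$ {
        expires 5m;
    }

    # Static assets may be cached for a year. Their file names MUST change
    # (hash in the name) whenever the content changes, or returning visitors
    # keep the stale copy.
    location ~ \.(png|jpg|jpeg|svg|css|js)$ {
        expires 1y;
    }

    # Pre-compressed files: the deploy step runs
    #   gzip SITE_FOLDER --keep -9 --recursive
    # so nginx only has to pick FILE.gz when the client accepts gzip, instead
    # of compressing on the fly. (Compression side channels such as BREACH
    # need a secret and attacker-controlled input in the same response; a
    # static site with no per-user content has neither.)
    gzip off;
    gzip_static on;

    # --- Security headers ---
    # nginx inheritance rule: a location that declares ANY add_header of its
    # own drops every header set here. None of the locations above do, so all
    # responses -- including the 404 page and the apex redirect -- carry them.
    # Keep it that way, or repeat the full set inside that location.
    #
    # HSTS for one year. `includeSubDomains` (and `preload`) would be
    # stronger, but only once every subdomain is served over HTTPS; that is
    # not verifiable from this file, so it is deliberately left out.
    add_header Strict-Transport-Security "max-age=31536000" always;
    # Clickjacking: X-Frame-Options for older browsers, frame-ancestors in
    # the CSP below for current ones; they must agree.
    add_header X-Frame-Options "DENY" always;
    # Legacy header; current browsers ignore it and the CSP is the real
    # control against script injection.
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    # CSP: scripts and XHR only from this origin, images from here or data:
    # URIs. frame-ancestors 'none' mirrors X-Frame-Options; base-uri 'self'
    # stops an injected <base> from retargeting relative script/style URLs.
    # Two directives worth revisiting: style-src 'unsafe-inline' (remove it
    # if the templates can do without inline styles) and frame-src * (any
    # site may be embedded in a page -- narrow it to the embeds actually
    # used, e.g. the video host).
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-src *; frame-ancestors 'none'; base-uri 'self';" always;
    # Send only the origin on cross-origin navigations instead of the full
    # URL (no-referrer-when-downgrade leaks the complete path and query to
    # every linked HTTPS site).
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
}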